Thursday 6th April 2023

CTI Weekly: Insight into Russian cyber-industrial complex, Easter phishing lures, UNC4466’s activities and Genesis Market seized

Key Issue:

Vulkan Files provide unique insight into Russian cyber-industrial complex

A leak of documents from Moscow-based cybersecurity contractor NTC Vulkan has provided unique insights into Russia’s political interference, domestic censorship, cybercrime, and foreign espionage efforts. The leaked documents include project specifications for three separate projects provided by Russia’s Ministry of Defense.

Project Skan is a framework for large-scale, multi-source, partially automated reconnaissance operations. Project Amezit is a highly complex framework for online information control, influence operations, and psychological operations support for OT-related operations. Project Crystal-2B seeks to build a training platform within which coordinated IO/OT attacks against critical utility and transport entities are to be simulated. The leak provides unique insights into Russia’s targeting rationale, training methodology, and tool development, as well as its cyber-industrial complex, private companies, and research institutes.

The leak reaffirms Russia’s interest in critical infrastructure sectors, including energy and transport entities, and indicates an ongoing effort to build capabilities related to the compromise of industrial systems. Entities seeking to defend themselves from Russian threat actors are recommended to build awareness of the information this leak has provided.


Other news:

Seasonal Campaigns

Two Cybercriminal groups have been observed using the upcoming Easter weekend as a topical lure in phishing campaigns in which the threat actors masquerade as the British chocolate maker Cadbury. The website of the US Internal Revenue Service-authorised tax return service provider,, was injected with malicious JavaScript code that downloads a backdoor.



Since at least October 2022, an ALPHV-affiliate, UNC4466, has compromised publicly exposed Veritas Backup Exec installations for initial access to victim environments. The threat actor ‘Midnight Group’ is leveraging the high volume of ransomware and data leak incidents to make fabricated claims to US companies that they have stolen their information.

Researchers have identified a new ransomware strain ‘Rorschach’, which displays technically unique features such as an encryption speed that makes it the fastest observed ransomware payload.


Dark Web

The domains and infrastructure for Genesis Market, one of the most popular marketplaces for stolen credentials, has been seized as part of an international law enforcement operation.




Subscribe below for more and to discover other significant cyber criminals, nation-state and hacktivist news.

Get our latest cyber intelligence insights straight into your inbox

Fill out the short form below to subscribe to our newsletter so that you never miss out on our cyber intelligence insights and news.